Terrorists can still kill you by hacking your pacemaker, but now they’ll leave evidence
A software firm is developing a program to detect whether a person’s medical device was externally hacked in order to kill them, according to New Scientist.
As far-fetched as it might sound, wireless hacking of medical devices is a real risk that scientists are coming to grips with. The U.S. Department of Homeland Security (DHS) announced in October that it is looking into security flaws in more than 20 medical devices, including implants, that hackers could potentially exploit to take control of the device and interfere with its functioning.
Members of DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) say that a heart pump by Hospira and cardiac implants by Medtronic and St Jude Medical all have security flaws that could make them vulnerable to external hacking.
This technique was used to kill a character in the TV series Homeland, but thus far, no one has reported that a person died because of remote tampering with their medical devices.
Nonetheless, former Vice President Dick Cheney had all forms of wireless access to his pacemaker deactivated before the device was implanted in his chest.
ICS-CERT issued a warning in June that some 300 different kinds of wireless medical devices made by 40 companies all have unchangeable wireless passwords. If a malicious hacker were to obtain a device’s password, physicians would be helpless to prevent them from controlling the device.
A hacker could cause an infusion pump to deliver a drug too quickly, causing an overdose, or even force a patient’s heart into arrhythmia or deliver a lethal jolt of electricity by seizing control of a pacemaker.
Cryptographer Noureddine Boudriga at the University of Carthage in Tunisia and forensic medic Mohamed Allouche at the University of Tunis El Manar are working on software that could examine a cardiac device’s operational history to detect whether it was tampered with prior to a patient’s death.
In a post-mortem examination, the new software could identify whether a pacemaker was remotely ordered to produce changes that led to a heart attack.
The program could be altered, said the team, to work with any other medical device.
Furthermore, the team suggested that on future devices, protections be implemented to keep the devices’ service and operations data safe from external tampering.
“That would be proof against everything but a malicious pathologist,” said Boudriga to New Scientist.
Kevin Fu, director of the Ann Arbor Research Center for Medical Device Security at the University of Michigan, agreed with Boudriga’s team that devices must have incorruptible records of their functioning.
“Medical device forensics is an important and necessary area,” Fu said.
Computer engineering expert Sujeet Shenoi at the University of Tulsa in Oklahoma said that the very thing that makes the devices so useful — the ability to access, reprogram, configure them and change their settings from outside the body — is the very thing that makes them vulnerable to hackers.
“The medical device manufacturers,” said Shenoi, “are now working hard behind the scenes to stop this happening.”